How do I replace a string in a field in Logstash

Posted 2019-07-19 18:25

I have an IP address field from the Windows event log that contains characters like "::fffff:" in front of the IP address. I cannot change the source here, so I have to fix this in Logstash.

I must suck at googling, but I really can't find a simple way to just strip these characters from the ip-address fields in logstash.

I have tried for example

if ("" in [event_data][IpAddress]) {
  mutate {
    add_field => { "client-host" => "%{[event_data][IpAddress]}" }
    gsub => [ "client-host", ":", "" ]
  }
  dns {
    action => "replace"
    reverse => [ "client-host" ]
  }
}

but no luck, the colon is still there. How can I replace "::ffff:" in the string "::ffff:10.0.36.39" in Logstash?

1 answer
疯言疯语
Post #2 · 2019-07-19 18:38

The add_field isn't executed until after the gsub, so you need to break it up into two mutate blocks.

# first block: create the copy (add_field runs last, in filter_matched)
mutate {
  add_field => { "client-host" => "%{[event_data][IpAddress]}" }
}
# second block: the field now exists, so gsub has something to rewrite
mutate {
  gsub => [ "client-host", "::ffff:", "" ]
}

The specific order that mutate works in:

rename(event) if @rename
update(event) if @update
replace(event) if @replace
convert(event) if @convert
gsub(event) if @gsub
uppercase(event) if @uppercase
lowercase(event) if @lowercase
strip(event) if @strip
remove(event) if @remove
split(event) if @split
join(event) if @join
merge(event) if @merge

filter_matched(event)

Where filter_matched has all of the standard actions like add_field.

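A complete filter section that applies the two-block fix above and then carries on to the reverse lookup the question was aiming for. This is an added example, not code from the question or the answer; the field name [event_data][IpAddress] is taken from the question and the target field client-host is an assumed name. The "::ffff:" prefix is how an IPv4-mapped IPv6 address is written, which is what Windows reports when a dual-stack listener accepts an IPv4 client, so the pattern is anchored to the start of the value and only that prefix is removed:

```logstash
filter {
  # Run only when the source field is present (idiomatic existence check,
  # equivalent in effect to the `"" in [field]` test used in the question).
  if [event_data][IpAddress] {

    # Block 1: copy the raw value. add_field is applied by filter_matched,
    # i.e. after every in-place mutate action, so it needs its own block.
    mutate {
      add_field => { "client-host" => "%{[event_data][IpAddress]}" }
    }

    # Block 2: the field now exists, so gsub can rewrite it.
    # gsub patterns are regular expressions: anchor with ^ so only a leading
    # IPv4-mapped prefix is stripped, and accept either case of "ffff".
    # An unmapped address such as "10.0.36.39" or "2001:db8::1" is left untouched.
    mutate {
      gsub => [ "client-host", "^::[fF]{4}:", "" ]
    }

    # Block 3 (optional, from the question's intent): reverse-resolve the
    # cleaned address in place. This performs a network lookup per event.
    dns {
      action  => "replace"
      reverse => [ "client-host" ]
    }
  }
}
```

With this in place "::ffff:10.0.36.39" becomes "10.0.36.39" before the dns filter sees it. If you do not need the original value, you can run the gsub directly on [event_data][IpAddress] in a single mutate block and skip the copy; the ordering problem only arises when the field being rewritten is created by the same mutate.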